

To: Bill Manning <bmanning@ISI.EDU>, edlewis@arin.net (Edward Lewis)
Cc: dnsop@cafax.se, edlewis@arin.net
From: Edward Lewis <edlewis@arin.net>
Date: Thu, 10 Oct 2002 17:34:04 -0400
In-Reply-To: <200210102036.g9AKaiq28525@boreas.isi.edu>
Sender: owner-dnsop@cafax.se
Subject: Re: the call for bind software

I'm preaching that we need to support the development of software 
that will enable us to do DNSSEC.  We need mature software that will 
meet with the demands of production DNS services.  This includes, but 
is not limited to, being able to keep up with demand (performance), 
be able to stay up (availability), be able to be configured 
(understandable), and be a full implementation of the service 
(functional).

Do I want cybergenetic diversity?  No, oddly enough.  I don't want it 
- but it is a necessary evil.  With it I am more assured that DNSSEC 
will be an available service, but the diversity on its own isn't of 
interest to a user.  I do encourage cybergenetic diversity when I'm 
thinking about the protocol, but when I'm thinking about my servers, 
I only want to run the best version of DNS software.

Yes, folks need to be looking at recursive servers.  The 
authoritative servers are 44.5 kg weaklings compared to it. 
Authoritative servers do nothing but (at best) assemble responses to 
answers.  Recursive servers have to follow referrals, chase down 
CNAMEs, perform KEY-SIG-DS-KEY-...-SIG validations, decide what to 
cache, etc.  Recursive servers do the hard work.

But that's not all we need to address.  Tools, tools, tools.  We need 
to make DNSSEC as simple as possible to use, but no simpler, and 
still be useful.  (Twisting a trite statement about design.)  I'm not 
sure we've identified the simplest way in which DNSSEC can work just 
yet.

At 13:36 -0700 10/10/02, Bill Manning wrote:
>	AMEN.  However, if this stuff is to be deployed at all,
>	it has to be working and stable.  The sad fact is, that
>	in the absence of -anything- else, flawed snapshots will
>	be used by those trying to gain operational experience.
>	Sane people will -NOT- commit to production services on
>	snapshot code (generally).  And for all its downsides,
>	BIND is still the reference implementation. To date, it's
>	the only implementation that does the whole thing.
>
>	So you seem to be intimating that this state of affairs
>	is delaying the release of what might be a deployable DNSSEC
>	solution.  Or are you arguing for more "genetic" diversity
>	in DNS codebases?   If so, folks should be looking beyond the
>	"low-hanging" fruit of a non-recursive server.
>
>--bill

-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-703-227-9854
ARIN Research Engineer
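The KEY-SIG-DS-KEY-...-SIG chase Ed describes above (DNSKEY/RRSIG/DS in today's record names) is what makes the recursive side the hard part. The program below is an added example, not code from this thread or from BIND, that does that walk in miniature: a trust anchor for the root, a DS in each parent binding the child's key, a self-signed DNSKEY at each apex, and a final RRSIG over the answer, with the resolver refusing the answer if any link is missing or fails. Its simplifications are assumptions of the example: one Ed25519 key per zone acts as both KSK and ZSK, the signed encoding is a toy canonical form rather than the RFC 4034 wire format, names are lower-case FQDNs, and the in-memory zone map (which must include ".") stands in for the referrals a real resolver follows; the zones and records it builds are constructed test data.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// RRset is one owner/type pair plus its RRSIG; DNSKEY rdata is a raw Ed25519 public key.
type RRset struct {
	Owner, Type string // names are lower-case FQDNs, "." is the root
	Data        [][]byte
	Sig         []byte
}

// canonical is what gets signed: a toy encoding (Go-quoted rdata), not the RFC 4034 wire format.
func canonical(rr RRset) []byte {
	return []byte(fmt.Sprintf("%s\x00%s\x00%q", rr.Owner, rr.Type, rr.Data))
}

// dsDigest plays the DS record's role: a hash binding a child zone's key to its name.
func dsDigest(owner string, pub []byte) []byte {
	h := sha256.Sum256([]byte(owner + "\x00" + string(pub)))
	return h[:]
}

// Zone is one signed zone; a single key plays both KSK and ZSK (a simplification).
type Zone struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
	RRs  map[string]RRset // keyed by owner + "/" + type
}

func NewZone(name string) *Zone {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	z := &Zone{Name: name, Pub: pub, priv: priv, RRs: map[string]RRset{}}
	z.Add(name, "DNSKEY", pub) // the self-signed apex key
	return z
}

func (z *Zone) Add(owner, typ string, data ...[]byte) {
	rr := RRset{Owner: owner, Type: typ, Data: data}
	rr.Sig = ed25519.Sign(z.priv, canonical(rr)) // the RRSIG, made by the zone key
	z.RRs[owner+"/"+typ] = rr
}

// verified returns the RRset only if its RRSIG checks out under pub (a missing RRset has no Sig).
func (z *Zone) verified(owner, typ string, pub ed25519.PublicKey) (RRset, error) {
	rr := z.RRs[owner+"/"+typ]
	if !ed25519.Verify(pub, canonical(rr), rr.Sig) {
		return RRset{}, fmt.Errorf("%s %s: missing from %s or RRSIG does not verify", owner, typ, z.Name)
	}
	return rr, nil
}

// enter is the DS -> DNSKEY step: the apex DNSKEY must hash to the DS already trusted and
// the DNSKEY RRset must be signed by that key. It returns the now-trusted key.
func enter(z *Zone, ds []byte) (ed25519.PublicKey, error) {
	rr := z.RRs[z.Name+"/DNSKEY"]
	if len(rr.Data) != 1 || len(rr.Data[0]) != ed25519.PublicKeySize ||
		string(dsDigest(z.Name, rr.Data[0])) != string(ds) {
		return nil, fmt.Errorf("%s: no DNSKEY matching the parent's DS", z.Name)
	}
	_, err := z.verified(z.Name, "DNSKEY", rr.Data[0])
	return rr.Data[0], err
}

// Validate is the recursive server's work: from a trust anchor (the DS of the root key) walk
// DS -> DNSKEY -> DS -> DNSKEY ... down to the zone holding name, then check its RRSIG there.
func Validate(anchor []byte, zones map[string]*Zone, name, typ string) (RRset, error) {
	zone := zones["."]
	pub, err := enter(zone, anchor)
	for i := len(name) - 2; err == nil && i >= 0; i-- { // zone cuts from the root down
		cut := name[i:] // e.g. "example." before "www.example."
		if (i > 0 && name[i-1] != '.') || zones[cut] == nil {
			continue // not a cut: the name lives deeper inside the current zone
		}
		var ds RRset // the parent's signed referral
		if ds, err = zone.verified(cut, "DS", pub); err != nil || len(ds.Data) != 1 {
			return RRset{}, fmt.Errorf("%s: no valid DS in %s: %v", cut, zone.Name, err)
		}
		pub, err = enter(zones[cut], ds.Data[0]) // trust the child's key via that DS
		zone = zones[cut]
	}
	if err != nil {
		return RRset{}, err
	}
	return zone.verified(name, typ, pub)
}

func main() {
	// Constructed demo data: a root, a delegated "example." zone, one A record.
	root, ex := NewZone("."), NewZone("example.")
	ex.Add("www.example.", "A", []byte("192.0.2.10"))
	root.Add("example.", "DS", dsDigest("example.", ex.Pub)) // the delegation
	anchor, zones := dsDigest(".", root.Pub), map[string]*Zone{".": root, "example.": ex}
	rr, err := Validate(anchor, zones, "www.example.", "A")
	fmt.Printf("www.example. A = %q, err = %v\n", rr.Data, err)
}
```

Every step that can fail is a distinct reason for SERVFAIL: a DS that does not match the child's key, an apex DNSKEY RRset that is not signed by that key, a parent with no DS for the cut at all, a record edited after it was signed, or a wrong trust anchor. Deleting root.RRs["example./DS"] before the second lookup, or editing the A record's Data without re-signing it, makes Validate return an error instead of the answer; what the real thing adds on top of this skeleton is the network round trips for each referral, the CNAME chase, signature validity windows, and deciding how long any of it may be cached.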

